An x64 Linux bootkit that performs hardware spoofing and VirtualBox hardening.
`x0` is a hardware spoofing and VirtualBox hardening solution that consists of 4 main components:
- Kernel Driver
- Bootkit Loader (UEFI Application)
- UEFI Bootkit (UEFI Runtime Driver)
- Userspace Command-line Companion Program
Only 2 of these components are crucial for `x0` to work properly (the UEFI bootkit and the bootkit loader); the kernel driver is optional, as it only provides extra features for the userspace client. The main purpose of the userspace client is to debug the state of UEFI data structures after the OS has booted, among other things.
On execution, the bootkit loader does 3 main things:
- Validate the UEFI driver (check for invalid signatures, etc.)
- Map the UEFI driver into memory and execute it
- Chainload BOOTX64
When the bootkit gets loaded, it performs a series of tasks depending on how it's configured:
- Hooking `GetVariable` and `SetVariable` by swapping pointers in the system table, and then updating the CRC32 checksum
- Creating an event for `SetVirtualAddressMap` which calls `gRT->ConvertPointer(...)` to convert the pointers of the original `GetVariable` and `SetVariable` to virtual mode
- Scanning the configuration tables in the system table (depending on configuration)
- If the table is found, the bootkit will patch it (depending on configuration)
At the end of all of this, `BOOTX64` will be chainloaded so that we can boot into the OS.
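As an added illustration (not code from the x0 project), a defender-side check for the hooking described above: it recomputes the runtime services table's header CRC32 the way firmware does, then compares each service pointer against the firmware runtime-code range recorded at a known-good boot. The struct layout follows the UEFI specification but stops after `SetVariable`; the enum names, the address range and the sample table are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* EFI_TABLE_HEADER plus the first nine EFI_RUNTIME_SERVICES entries, per the
 * UEFI spec (the real table continues past SetVariable; truncated here).
 * HeaderSize covers the whole table; CRC32 is taken with that field zeroed. */
typedef struct { uint64_t Signature; uint32_t Revision, HeaderSize, CRC32, Reserved; } EfiTableHeader;
enum { RT_GET_TIME, RT_SET_TIME, RT_GET_WAKEUP, RT_SET_WAKEUP, RT_SET_VIRTUAL_MAP,
       RT_CONVERT_POINTER, RT_GET_VARIABLE, RT_GET_NEXT_VARIABLE_NAME, RT_SET_VARIABLE, RT_COUNT };
typedef struct { EfiTableHeader Hdr; uint64_t Fn[RT_COUNT]; } RuntimeServices;
#define EFI_RUNTIME_SERVICES_SIGNATURE 0x56524553544e5552ULL /* "RUNTSERV" */
/* Standard reflected CRC32 (IEEE 802.3), the algorithm UEFI and zlib use. */
uint32_t crc32_bytes(const void *buf, size_t len) {
    const uint8_t *p = buf; uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Integrity check as firmware defines it: signature, size and header CRC. */
int rt_table_crc_ok(const RuntimeServices *rt) {
    RuntimeServices copy; memcpy(&copy, rt, sizeof copy); copy.Hdr.CRC32 = 0;
    return rt->Hdr.Signature == EFI_RUNTIME_SERVICES_SIGNATURE &&
           rt->Hdr.HeaderSize == sizeof copy && crc32_bytes(&copy, sizeof copy) == rt->Hdr.CRC32;
}

/* Stronger check: every service pointer must lie in the firmware runtime-code range [lo, hi)
 * recorded at a known-good boot; a swapped pointer lands outside it even with the CRC fixed up. */
int rt_pointers_in_range(const RuntimeServices *rt, uint64_t lo, uint64_t hi) {
    for (int i = 0; i < RT_COUNT; i++)
        if (rt->Fn[i] < lo || rt->Fn[i] >= hi) return 0;
    return 1;
}

/* Constructed sample: a clean table, or one with GetVariable redirected and the
 * CRC recomputed. Addresses are made up; real ones come from the UEFI memory map. */
RuntimeServices make_sample(int hooked) {
    RuntimeServices rt; memset(&rt, 0, sizeof rt);
    rt.Hdr.Signature = EFI_RUNTIME_SERVICES_SIGNATURE; rt.Hdr.HeaderSize = sizeof rt;
    for (int i = 0; i < RT_COUNT; i++) rt.Fn[i] = 0x7F000000ULL + 0x100ULL * i;
    if (hooked) rt.Fn[RT_GET_VARIABLE] = 0x10000000ULL;
    rt.Hdr.CRC32 = crc32_bytes(&rt, sizeof rt);
    return rt;
}
/* Both samples pass the CRC check; only the pointer-range check flags the hooked one. */
int sample_crc_ok(int hooked)  { RuntimeServices r = make_sample(hooked); return rt_table_crc_ok(&r); }
int sample_ptrs_ok(int hooked) { RuntimeServices r = make_sample(hooked); return rt_pointers_in_range(&r, 0x7F000000ULL, 0x7F001000ULL); }
```

The takeaway for detection is that a valid header CRC proves nothing once the table has been rewritten; a pointer baseline taken from the firmware's own runtime-code region is what catches the swap.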
- Patching SMBIOS tables
- Spoofing SecureBoot status
- Modification of UEFI variables containing data that could be used to detect a VirtualBox instance
- Locating the address of the UEFI runtime service table
- Locating the address of the SMBIOS table in kernel virtual memory
- Dumping and parsing the contents of the UEFI runtime service table
As of now the UEFI driver itself should work on Windows as well, but it may not be able to spoof SecureBoot. The bootkit can also be used for Windows, but you might have to edit the path to the bootloader that the bootkit loader will chainload (`src/loader/EfiLoad.h`).
The bootkit itself can be loaded individually and used to get around hardware-based bans on some games, however in the case that someone gets banned for using the bootkit to evade a ban for a game, I am not responsible for that. You have been warned.
- C
First, take a look at this tutorial from OSDev on how to set up EDK2: https://wiki.osdev.org/EDK2
Once you're done with that, make sure that you `git clone` this repository within the EDK2 directory, and add the paths to the `.inf` files in the `src` directory of the `x0` folder into the `[Components]` section in `MdeModulePkg/MdeModulePkg.dsc`.
Once EDK2 is properly set up, you can compile `x0` by executing the following script:
`./build.sh`
In order to install the bootkit (and load it), follow these instructions:
- Copy the compiled bootkit and bootkit loader (`x0.efi` and `x0loader.efi`) into the EFI System Partition (a.k.a. `/boot/efi/EFI`)
- Execute `systemctl --firmware-setup reboot`
- Select the boot manager option and then select the 'EFI Shell' option
- Once booted into the EFI shell, enter the `fs0` mapping by running `fs0:`
- Execute the following commands:
  `cd EFI`
  `x0loader.efi`
- The bootkit loader will load the bootkit and then boot into the OS
`./x0client [-h, --help]`
https://github.com/xmmword